Vulnerability Management Life Cycle

The Vulnerability Management Life Cycle is intended to allow organizations to identify computer system security weaknesses; prioritize assets; assess, report, and remediate the weaknesses; and verify that they have been eliminated.

In computer security, a vulnerability is a security flaw or weakness that allows an intruder to reduce a system’s information assurance. A vulnerability requires three elements: a system weakness, an intruder’s access to the weakness, and the intruder’s ability to exploit the weakness using a tool or technique.

Steps in the Vulnerability Management Life Cycle

The following diagram illustrates the steps in the Vulnerability Management Life Cycle.

Vulnerability Management Life Cycle: Discover, Prioritize Assets, Assess, Report, Remediate, and Verify

The steps in the Vulnerability Management Life Cycle are described below.

  1. Discover: Inventory all assets across the network and identify host details including operating system and open services to identify vulnerabilities. Develop a network baseline. Identify security vulnerabilities on a regular automated schedule.
  2. Prioritize Assets: Categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to your business operation.
  3. Assess: Determine a baseline risk profile so you can eliminate risks based on asset criticality, vulnerability threat, and asset classification.
  4. Report: Measure the level of business risk associated with your assets according to your security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities.
  5. Remediate: Prioritize and fix vulnerabilities in order according to business risk. Establish controls and demonstrate progress.
  6. Verify: Verify that threats have been eliminated through follow-up audits.
Page last reviewed: January 20, 2021